The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates
The right to privacy is guaranteed by South Korea’s Constitution. South Korea also has data protection laws, including a law specifically to protect location data. However, after the Middle East Respiratory Syndrome outbreak in South Korea in 2015, surveillance was strengthened, and the Infectious Disease Prevention and Control Act has a provision that overrides the location information law. People must cooperate with epidemiological investigations. Persons who are required to self-quarantine are monitored, and violators can face criminal punishment. The movements of infected or quarantined people are monitored by the use of credit cards, the location information of smartphones and, in some cases, electronic wristbands.
According to the website of the Ministry of Health and Welfare (MOHW), confirmed cases of COVID-19 totaled 11,142 as of May 22, 2020. The number of deaths was 264.
Smartphone ownership in South Korea is high. About 95% of South Koreans own a smartphone—the highest nationwide level of smartphone ownership in the world. Older people have switched to smartphones in recent years. In 2019, about 80% of people in their 60s had smartphones.
II. Legal Framework
A. Privacy and Data Protection
The South Korean Constitution has a provision guaranteeing the right to privacy. Korean courts recognize a tort of invasion of privacy. The Act on the Protection, Use, etc. of Location Information (Location Information Act) regulates the use of location information to protect against its misuse.
There are several laws that protect personal data. Among them, the Personal Information Protection Act (PIPA) is the comprehensive general data protection law. PIPA states the general principles for handling personal information. For example, a personal information controller must specify explicitly the purposes for processing personal information and collect personal information lawfully and fairly to the minimum extent necessary for such purposes. A personal information controller must not use it beyond those purposes. A personal information controller must manage personal information safely. A 2020 amendment that will become effective in August 2020 states further that, if it is still possible to fulfill the purposes of collecting personal information by processing anonymized or “pseudonymised” personal information, the personal information controller shall endeavor to do so.
There are also sector-specific laws for protection of personal information, such as the Act on Promotion of Information and Communications Network Utilization and Information Protection, as well as the Credit Information Use and Protection Act.
B. Data Retention and Location Tracking
The Location Information Act defines “personal location information” as information about a place where a particular person exists or has existed at a certain time, which is collected using telecommunications equipment facilities. It includes information readily combinable with other information to track the location of a particular person even though location information alone is not sufficient to identify the location of the person.
The Location Information Act prohibits the collection, use, or provision of location information regarding an individual or mobile object without the consent of the individual or the owner of the mobile object. In a case of an emergency rescue or as otherwise provided by other laws, such consent is not required. The Act also requires that when a person lends an object with devices capable of collecting location information, the person must notify the borrower of the fact that the object has a built-in location information collection device.
Any person who intends to engage in the business of collecting location information and providing such information to service providers must obtain permission from the Korea Communications Commission (KCC). Only corporations can obtain permission. In addition, any person who intends to engage in the business of providing services based on personal location information must report its trade name, the address of the main office, the type of business, and its location information systems, among other things, to the KCC.
Before collecting location information, a corporation that has obtained permission for a location information business must specify in its terms and conditions the contact information, rights held by the subjects of personal location information, details of its services to a provider of a service that uses personal location information, and the period of data retention, among other things. Any service provider based on location information must do the same before providing service. A corporation that has obtained permission for a location information business and a service provider utilizing personal location information can use or provide personal location information if it is processed in such a way that any specific person cannot be identified, and it is provided for the purpose of statistics, academic research, or market research.
A person who has obtained permission for a location information business and a service provider utilizing personal location information must take managerial and technical measures to prevent the divulging, alteration or impairment of location information in accordance with the government decree. The KCC may examine the measures.
III. Electronic Measures to Fight COVID-19 Spread
Under the Infectious Diseases Control and Prevention Act, the Director of the Korea Centers for Disease Control and Prevention (KCDC), governors, and the heads of municipal governments conduct an epidemiological investigation when an infectious disease breaks out and is likely to become predominant. Epidemiological investigation includes identification of the path of infection and the source of infection by the disease. No one is allowed to refuse, interfere with, or evade the epidemiological investigation without a justifiable reason; to make a false statement; or to intentionally omit any fact. Violations are punishable by imprisonment for not more than two years or a fine not exceeding KRW20 million (about US$16,150).
In addition, in order to prevent the further spread of an infectious disease upon its outbreak, the MOHW or a local government may keep persons suspected of being infected by the pathogen of an infectious disease hospitalized or quarantined in a proper place for a certain period. A recent amendment adds a penalty for violations. A violation is punishable by imprisonment for up to one year or a fine not exceeding KRW10 million (about US$8,080).
South Korea experienced the largest outbreak of the Middle East Respiratory Syndrome (MERS) virus outside of the Middle East in 2015. Following the MERS outbreak, South Korea took measures to strengthen its ability to carry out more accurate epidemiological studies and disease surveillance. The Infectious Diseases Control and Prevention Act was amended in December 2015. Amended article 76-2, paragraph 2, states that, if necessary to prevent infectious diseases and block the spread of infection, the Minister of HOMW and heads of local governments may request law enforcement to provide the location information of patients with an infectious disease and persons likely to be infected by an infectious disease. It further states that, in such cases, the head of the relevant police agency may request any location information provider and any telecommunications business operator to provide location information of the person despite restrictions under the Location Information Act, as well as restrictions under the Protection of Communications Secrets Act. The location information provider and the telecommunications business operator cannot refuse the request except in extenuating circumstances. This provision allows the police to access individuals’ private information, ranging from credit card records to cell phone Global Positioning System data, without a warrant.
In March 2020, the government launched a new system to track the movements of people infected with COVID-19 and their contacts more quickly. The Ministry of Land, Infrastructure and Transport, the Ministry of Science and ICT (Information and Communication Technologies), and the KCDC jointly developed the system. The Korean National Police Agency, the Credit Finance Association, South Korea’s three mobile carriers, and 22 credit card issuers have joined the system.
Additionally, because the number of cases of people breaching the self-quarantine raised concerns, the government announced the use of electronic wristbands on people who violate self-isolation rules to better contain the spread of COVID-19 on April 11, 2020. Although some indicated concern about a breach of privacy, 80.2% of people in a government survey supported the idea of using electronic wristbands to keep track of those under self-quarantine. However, the government cannot force people to wear the wristbands because there is no law requiring it. Since April 27, 2020, if a violator agrees, he or she wears a wristband for two weeks. Some foreign countries have started importing the wristbands and may follow South Korea’s monitoring method.
The Infectious Diseases Control and Prevention Act states that citizens should be provided with detailed information, such as the movement paths, transportation means, and medical treatment institutions and contacts of infected persons. The KCDC and metropolitan and provincial governments release a detailed log of the movements of COVID-19 patients, including the time and name of places they visited, through the media and related websites. Out of privacy concerns, the National Human Rights Commission of Korea called on “the authorities to publish the time and names of locations visited by infected people, rather than providing the travel history of each individual, and specify disinfection and protective measures taken by the public health authorities for these locations.”
Prepared by Sayuri Umeda
Senior Foreign Law Specialist
 Act on the Protection, Use, etc. of Location Information (Location Information Act), Act No. 7372, Jan. 27, 2005, amended by Act No. 16087, Dec. 24, 2018, art. 1, https://perma.cc/7ZCG-VSW2 (unofficial translation as amended by Act No. 14224, May 29, 2016).
 Act No. 16930 art. 3
 Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., Act No. 6360, Jan. 16, 2001, amended by Act No. 16021, Dec. 24, 2018, https://perma.cc/REX2-QVM3.
 Location Information Act art. 2, subparas. 1 & 2.
 Id. art. 15, para. 1.
 Id. art. 15, para. 3.
 Id. art. 5, para. 1.
 Id. art. 5, para. 5.
 Id. art. 9, para. 1.
 Id. art. 18, para. 1.
 Id. art. 19, para. 1.
 Id. art. 21, para. 1.
 Id. art. 16, para. 1.
 Id. art. 16, para. 3.
 Infectious Diseases Control and Prevention Act, Act No. 9847, Dec. 29, 2009, amended by Act No. 17067, Mar. 4, 2020, art. 18, para. 1, https://perma.cc/9GY9-WNSB (unofficial translation, as amended by Act No. 14286, Dec. 2, 2016).
 Enforcement Decree of Infectious Diseases Control and Prevention Act, Presidential Decree No. 22564, Dec. 29, 2010, amended by Presidential Decree No. 30596, Apr. 2, 2020, art. 14, https://perma.cc/G3JE-DSTM (unofficial translation as amended by Presidential Decree No. 29180, Sept. 18, 2018); and Enforcement Rule of Infectious Diseases Control and Prevention Act, art. 14 & att. 1-3, MOHW Decree No. 32, Dec. 30, 2010, amended by MOHW Decree No. 717, Apr. 3, 2020.
 Infectious Diseases Control and Prevention Act art. 18, para. 3.
 Id. art. 79.
 Id. art. 47, subpara. 3
 Id. art. 79-3.
 Act to Partially Amend the Infectious Diseases Control and Prevention Act, Act No. 13639, Dec. 29, 2015.
 Infectious Diseases Control and Prevention Act art. 76-2, para. 2.
 Location Information Act art. 15.
 Infectious Diseases Control and Prevention Act art. 76-2, para. 2 and art. 79-2 (penal provision).
 Infectious Diseases Control and Prevention Act art. 34-2.
Last Updated: 12/30/2020